The latest disclosure is another blow to the Equifax. Since the breach, Equifax's CEO Richard Smith and top security officers resigned. In October, Smith testified in front of Congress and apologized for the breach.

Equifax first disclosed the bombshell hack in September 2017, three months after the company discovered the breach. Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.

It is not yet known who is responsible for the hack, but the investigation is ongoing.

It is unclear if the company will face consequences for leaking millions of people's sensitive data that could be used for identity theft.

The company is currently under investigation by multiple states attorneys general and faces a number of civil lawsuits.

In November, three Democratic senators introduced a data breach disclosure bill, called The Data Security and Breach Notification Act, that could introduce consequences for companies who do not responsibly deal with hacks.

The bill would require companies to report data breaches within 30 days. If someone at a business knowingly conceals a data breach, they could face up to five years in prison.

It is still early in the legislative process, so it's unclear if the law will eventually pass.